Privacy law in the 21st century: due for an update?

In honor of Data Protection Day (tomorrow, January 28) and its “Think Privacy” theme, let’s turn our attention to a few current efforts to bring legislated privacy requirements into the 21st century. In Europe, privacy watchers are looking to Viviane Reding, the European Commission’s commissioner for information society and media, who has stated publicly that protection rights for personal data are among her top priorities. Now entering her third term in office, Reding has been appointed the commissioner for Justice, Fundamental Rights, and Citizenship for the EC’s 2010 session. Unnamed officials purportedly close to Reding (the European press likes to use those unnamed sources too) have suggested that one area of focus will be a review of the EU’s Data Protection Directive, which among other provisions constrains the collection and use of personal data by EU member countries (the broad general term in the EU law is “processing,” which encompasses more than two dozen operations in the official definition). The Data Protection Directive was enacted 15 years ago, so it would seem that at least some European commissioners think it might be due for revision, or at least a close look to see if it covers modern information usage.

In the United States, one of the central privacy laws is the Privacy Act of 1974, which constrains U.S. federal government activities related to data collection, use, and disclosure. The Privacy Act has been amended since its enactment over 35 years ago, typically in cases where the advance of technology creates gaps in the law that Congress needs to fill. That was the case with the Computer Matching and Privacy Protection Act, which in 1988 amended (and became part of) the Privacy Act of 1974 to constrain the use of personal data in automated matching programs. In recent years both government and private sector bodies have called for revisions to the Privacy Act, due both to significant changes in the information technology used to collect and process personal information and to evolving threats to privacy enabled by technology (identity theft, for example, has existed for many years but did not provide thieves the opportunity for substantial financial gain prior to the advent of automated banking technology). Last May, the Information Security and Privacy Advisory Board released a report including a recommended framework for federal privacy policy in the 21st century. Also in process in both houses of Congress are bills that, among other provisions, would strengthen data protection standards in areas such as breach disclosure requirements and consumer empowerment. There are of course many important issues competing for government attention, but as the continued pace of technical change outstrips technical, policy, and regulatory governance mechanisms, it becomes more critical that the legal framework is adapted accordingly.